13 phishing attack types and how to protect your business against them
Phishing attacks have existed since the internet’s infancy. The earliest phishing attacks began in the mid-1990s, using AOL to collect passwords and credit card numbers. Today’s cybercriminals utilize increasingly sophisticated social engineering techniques.
In essence, phishing is a social engineering attack that employs deception to persuade someone to act against their best interests. Organizations can better safeguard their consumers and data if they understand the thirteen types of phishing attacks.
1. Whale phishing
Whale phishing, also known as CEO fraud or whaling, is a form of corporate phishing that exploits open-source intelligence (OSINT). Malicious actors research the organization’s CEO or another senior leader via social media or the corporate website. They then use a look-alike email address to impersonate that executive. The email may ask the recipient to make a payment or review a document.
2. Smishing
Smishing is a type of attack carried out by text message or short message service (SMS). A typical smishing message is sent to a mobile phone and contains a clickable link or a phone number to call back.
A common smishing attack is an SMS message that appears to come from your financial institution. It informs you that your account has been compromised and that you must act quickly. The attacker asks you to verify your bank account number, SSN, and other personal information. Once the attacker has obtained these details, they have complete control of your bank account.
3. Vishing
Voice phishing, or “vishing,” occurs when a cybercriminal calls a phone number and creates a false sense of urgency, pressuring the victim into a course of action that is not in their best interests. These calls often coincide with stressful periods. For instance, many people receive bogus calls during tax season from individuals posing as the Internal Revenue Service (IRS), claiming they need to conduct an audit and require a social security number. Under the stress and haste of the call, the recipient may be tricked into disclosing sensitive information.
4. Email phishing
Email phishing, often known as “deception phishing,” is one of the most well-known attack types. Malicious actors send emails to users posing as a well-known brand, employ social engineering techniques to create an illusion of immediacy, and then convince users to click on a link or download an item.
Traditionally, the links lead to fraudulent websites that steal user credentials or install malicious code, referred to as malware, on the user’s device. The downloads, which are often PDFs, contain harmful content that installs the malware when the user opens the document.
5. Search engine phishing
Search engine phishing, also known as SEO poisoning or SEO Trojans, is a technique attackers use to push their own pages to the top of search results. Clicking their link in the search results takes you to the attacker’s website. When you interact with the site or enter sensitive data, the threat actors capture your information. These sites can impersonate any type of website, although the most common targets are banks, money transfer services, social media platforms, and e-commerce sites.
6. HTTPS phishing
Because it encrypts traffic, the hypertext transfer protocol secure (HTTPS) is frequently regarded as a “safe” link to click. Because a valid certificate ties the connection to the domain shown in the address bar, most reputable organizations now use HTTPS instead of HTTP. Cybercriminals, however, can obtain certificates for their own domains just as easily, and now routinely use HTTPS links in phishing emails; the padlock only confirms that the connection to that site is encrypted, not that the site is legitimate.
7. Angler phishing
As malicious actors shift from one attack vector to another, social media has become another popular venue for phishing attempts. As with vishing and smishing, angler phishing occurs when a cybercriminal uses the notification or direct messaging features of a social networking platform to lure a victim into taking action.
8. Pharming
Pharming is more technical and frequently more difficult to detect than other forms of fraud. The malicious actors take control of a Domain Name System (DNS) server, the server that translates human-readable domain names into IP addresses. When a user types in a website address, the compromised DNS server sends the user to the IP address of a malicious website that may appear legitimate.
9. Watering hole phishing
Another sophisticated phishing attack, watering hole phishing, begins with malicious actors researching the websites a company’s employees visit frequently, then compromising those sites with malware or malicious files. These could be industry news sites or the websites of third-party vendors. When an employee visits the compromised website, the malware is downloaded.
10. Evil twin
An evil twin phishing attack impersonates a legitimate WiFi hotspot in order to intercept data in transit. When a user connects to the bogus hotspot, hostile actors can carry out man-in-the-middle or eavesdropping attacks. This lets them capture data such as login credentials or other sensitive information transmitted over the connection.
11. Clone phishing
Another type of targeted email phishing attack, clone phishing, makes use of services the victim already uses to trigger the undesired action. Malicious actors know that most business applications rely on users clicking links as part of their daily work. They frequently research which services a firm uses regularly and then send targeted emails that appear to originate from those services. For instance, because many firms rely on DocuSign to issue and receive electronic contracts, unscrupulous actors may produce bogus DocuSign emails.
12. Pop-up phishing
Although most people use pop-up filters, pop-up phishing remains a possibility. Harmful actors can inject malicious code into the small notification windows, referred to as pop-ups, that appear when users visit websites. Pop-up phishing has evolved to make use of the web browser’s “notifications” capability. When a user visits a website, for example, the browser prompts the user with “www.thisisabadlifechoice.com wishes to display notifications.” When the user selects “Allow,” malicious code is installed via the pop-up.
13. Spear phishing
While spear phishing also uses email, it is a more targeted approach. Cybercriminals begin by gathering open-source intelligence (OSINT) from published or publicly available sources such as social media or a company’s website. They then target specific people inside the organization, using legitimate names, job roles, or work telephone numbers to fool the recipient into believing the email is from someone else within the firm. Finally, believing it to be an internal request, the recipient carries out the action specified in the email.
How to prevent phishing
Although phishing begins with social engineering techniques, certain more advanced techniques can be difficult for consumers to identify. Multiple actions can help limit phishing risks by preventing hostile actors from successfully entering systems, networks, and software.
Train your employees
The first line of defense is to ensure that staff receive the appropriate training to protect data. As hostile actors’ techniques improve, you should provide training that goes beyond the standard “phishing emails” approach. Any training on phishing awareness should also cover emerging techniques, such as watering hole phishing attempts.
Utilize email filtering
Although email filters are typically associated with “spam filters,” they can also look for other indicators of a phishing attempt. Choosing an appropriate email filtering system helps reduce the number of harmful phishing emails that reach users.
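A small triage filter along these lines, added here as an example rather than the article's own code: it flags two cues the article describes, a sender domain that merely looks like the organization's own domain or a service it uses (whaling, clone phishing), and urgency wording (email phishing). The trusted domains and the sample message are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

OUR_DOMAIN = "example.com"                      # assumption: the organisation's own domain
TRUSTED_DOMAINS = {OUR_DOMAIN, "docusign.net"}  # assumption: services staff use daily
URGENCY = re.compile(r"\b(urgent|immediately|within 24 hours|suspended|wire|payment)\b", re.I)

def edit_distance(a, b):  # plain Levenshtein distance (insert/delete/substitute)
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def normalize(domain):  # fold look-alike characters: 'exarnple'/'examp1e' -> 'example'
    d = domain.lower()
    for src, dst in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")):
        d = d.replace(src, dst)
    return d

def lookalike_of(domain):
    """Trusted domain that this sender domain imitates, or None if trusted/unrelated."""
    if domain in TRUSTED_DOMAINS:
        return None
    folded = normalize(domain)
    for trusted in sorted(TRUSTED_DOMAINS):
        name = trusted.split(".")[0]  # "example", "docusign"
        # same name after folding, one typo away, or trusted name used as a prefix/subdomain
        if (folded == trusted or edit_distance(folded, trusted) <= 1
                or folded.startswith((name + "-", name + "."))):
            return trusted
    return None

def triage(raw_message):
    """List the phishing indicators found in one RFC 822 message (empty list = none)."""
    msg = message_from_string(raw_message)
    domain = parseaddr(msg.get("From", ""))[1].lower().rsplit("@", 1)[-1]
    reasons = []
    imitated = lookalike_of(domain)
    if imitated:
        reasons.append(f"sender domain {domain} imitates {imitated}")
    body = msg.get_payload() if not msg.is_multipart() else ""
    hit = URGENCY.search(msg.get("Subject", "") + " " + body)
    if hit:
        reasons.append(f"urgency language: {hit.group(0)!r}")
    return reasons

# Constructed sample: a whaling attempt sent from a look-alike of our own domain.
WHALING = ('From: "Jane Doe, CEO" <jane.doe@exarnple.com>\n'
           "Subject: Urgent wire payment needed today\n\nPlease process the attached invoice now.\n")
```

Heuristics like these produce false positives on short legitimate domains, so treat a hit as a reason to quarantine for review rather than to reject outright.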
Install website alerts in browsers
It is more critical than ever to safeguard against rogue websites. Recognizing that organizations are filtering email more carefully, fraudsters are increasingly concentrating their efforts on malicious websites. Ensure that end users’ browsers warn them about potentially dangerous websites.
Restriction of internet access
Access control lists (ACLs) are another technique for mitigating the dangers associated with rogue websites. You can configure your networks’ access restrictions to “deny all” access to specific websites and web-based apps.
Multi-factor authentication should be required
Because bad actors so frequently attempt to obtain user credentials, enabling multi-factor authentication helps limit this risk. Require users to provide at least two of the following when logging into your networks, systems, and applications:
- Something they know: a password or passphrase
- Something they possess: a device or token (an authentication application installed on a device, a keycard, or a code sent to a smartphone)
Keep an eye out for and remove phony websites
Businesses in highly targeted industries, such as financial services and healthcare, frequently contract with businesses that can monitor for and remove faked copies of their websites. This is a strategy to prevent employees and consumers who click on a bad link from disclosing their login credentials to fraudsters.
Update security patches on a regular basis
Numerous phishing attempts take advantage of known security flaws, catalogued as Common Vulnerabilities and Exposures (CVEs). To avoid this, apply the security updates that address these known flaws on a regular basis.
Establish a routine for data backup
Phishing attacks frequently leave malware behind, which may include ransomware. To limit the impact of ransomware on your organization’s productivity, implement a robust data backup scheme that follows the 3-2-1 principle: three copies of the data, on two different media, with one copy kept offsite.
How a DPO can help against phishing scams
A Data Protection Officer (DPO) oversees data protection responsibilities and ensures that the organization complies with the Personal Data Protection Act (PDPA). Every organization’s DPO should be able to curb phishing scams, since the DPO is the officer responsible for maintaining the organization’s cybersecurity posture.
For instance, at Privacy Ninja, we randomly conduct simulated email phishing to clients to see if there are any vulnerabilities present that a bad actor can exploit and patch them to ensure that the client will never be a victim of such a scam.
DPOs complement an organization’s efforts in battling scams by ensuring that, when a cyberattack occurs, an established protocol for dealing with it exists and can be used to protect clients’ personal data. DPOs play a crucial role when an organization is hit by a phishing attack, as they ensure safeguards are in place to combat it when it happens.